please move this stuff into DNS
Posted Dec 25, 2008 14:11 UTC (Thu) by TRS-80
In reply to: please move this stuff into DNS
Parent article: SSL man-in-the-middle attacks
I think the problem with putting the cert fingerprint into DNS is the application doesn't know if the response was secured by DNSSEC or not.
To get rid of CAs for basic cert uses, which is protecting passwords from being sent in the clear, Mozilla should be implementing and advocating RFC 5054, TLS/SRP. However, NSS (a Mozilla subproject) won't add it until Mozilla does the UI work, but Mozilla wants to do the UI work as extensions, so it needs NSS done first.